15-410 “...1969 > 1999?...” Protection Nov. 14, 2008

Dave Eckhardt Roger Dannenberg

1 L32_Protection 15-410, F'08 Synchronization

Project 3 due tonight  Please remember to register for late days as appropriate  One registration per day  Please register for the midnight floppy disc seminar in the 5th floor lobby  Registrations before 16:00 are most useful  Carefully consider the P3extra overtime  In general, getting a really solid kernel is the best thing » For your grade » For your education!  So once the dust has settled, run all the tests and carefully read the P4 requirements  If you know early that you will p3extra, please register early 2 15-410, F'08 Synchronization

15-610 (Spring '09)  If you want hands-on experience with tricks of the trade  N mini-projects: hints, prefetching, transactions, ...  Small, intimate class  Achievable without panic 15-412 (Fall '09)  If 410 was fun...  If you want to do more,  If you want to see how it's done “in real life”,  If you want to write real OS code used by real people,  Consider 15-412

3 15-410, F'08 Synchronization

Project 4  Monday's lecture might be beneficial

4 15-410, F'08 Outline

Protection (Chapter 14)  Protection vs. Security  Domains (Unix, Multics)  Access Matrix  Concept, Implementation  Revocation – not really covered today (see text) Mentioning EROS

5 15-410, F'08 Protection vs. Security

Textbook's distinction  Protection happens inside a computer  Which parts may access which other parts (how)?  Security considers external threats  Is the system's model intact or compromised?

6 15-410, F'08 Protection

Goals  Prevent intentional attacks  “Prove” access policies are always obeyed  Detect bugs  “Wild pointer” example Policy specifications  System administrators  Users - May want to add new privileges to system

7 15-410, F'08 Objects

Hardware  Exclusive-use: printer, serial port, CD writer, ...  Fluid aggregates: CPU, memory, disks, screen Logical objects  Files  Processes  TCP port 25  Database tables

8 15-410, F'08 Operations

Depend on object!  Disk: read_sector(), write_sector()  CD-ROM: read_sector(...)  TCP port: advertise(...)  CPU  Conceptually: context_switch(...),  More sensibly: realtime_schedule(..., ...)

9 15-410, F'08 Access Control

Basic access control  Your processes should access only “your stuff”  Implemented by many systems

10 15-410, F'08 Access Control

Basic access control  Your processes should access only “your stuff”  Implemented by many systems Principle of least privilege  (text: “need-to-know”)  cc -c foo.c  should read foo.c, stdio.h, ...  should write foo.o  should not write ~/.cshrc  This is harder

11 15-410, F'08 Who Can Do What?

access right = (object, operations)  /etc/passwd, r  /etc/passwd, r/w process  protection domain  P0  de0u, P1  rbd, ... protection domain  list of access rights  de0u  (/etc/passwd, r), (/afs/andrew/usr/de0u/.cshrc, w)

12 15-410, F'08 Protection Domain Example

Domain 1  /dev/null, read/write  /usr/davide/.cshrc, read/write  /usr/rbd/.cshrc, read Domain 2  /dev/null, read/write  /usr/rbd/.cshrc, read/write  /usr/davide/.cshrc, read

13 15-410, F'08 Using Protection Domains

Least privilege requires domain changes  Doing different jobs requires different privileges  One printer daemon, N users  Print each user's file with minimum necessary privileges...

14 15-410, F'08 Using Protection Domains

Least privilege requires domain changes  Doing different jobs requires different privileges  One printer daemon, N users  Print each user's file with minimum necessary privileges... Two general approaches  Hold constant “process  domain” mapping  Requires domains to add and drop privileges  User “printer” gets & releases permission to read your file  Hold constant privileges of a domain  Processes domain-switch between high-privilege, low- privilege domains  Printer process opens file as you, opens printer as “printer” 15 15-410, F'08 Protection Domain Models

Three sample models  Domain = user  Domain = process  Domain = procedure  (other models are possible)

16 15-410, F'08 Domain = User

Object permissions depend on who you are All processes you are running share privileges Privilege adjustment?  Log off, log on (i.., domain switch)

17 15-410, F'08 Domain = Process

Resources managed by special processes  Printer daemon, file server process, ... Privilege adjustment?  Objects cross domain boundaries via IPC  “Please send these bytes to the printer” /* concept only; pieces missing */ s = socket(AF_UNIX, SOCK_STREAM, 0); connect(s, pserver, sizeof pserver); mh->cmsg_type = SCM_RIGHTS; mh->cmsg_len[0] = open(“/my/file”, 0, 0); sendmsg(s, &mh, 0); 18 15-410, F'08 Domain = Procedure

Processor limits access at fine grain  Hardware protection on a per-variable basis! Domain switch – Inter-domain procedure call  nr = print(strlen(buf), buf);  What is the “correct domain” for print()?  Access to OS's data structures  Permission to call OS's internal putbytes()  Permission to read user's buf

19 15-410, F'08 Domain = Procedure

Processor limits access at fine grain  Hardware protection on a per-variable basis! Domain switch – Inter-domain procedure call  nr = print(strlen(buf), buf);  What is the “correct domain” for print()?  Access to OS's data structures  Permission to call OS's internal putbytes()  Permission to read user's buf  Ideally, correct domain automatically created by hardware  Common case: “user mode” vs. “kernel mode” » Only a rough approximation of the right domain » But simple for hardware to implement 20 15-410, F'08 Unix “setuid” concept

Assume Unix protection domain  numeric user id  Not the whole story! This overlooks:  Group id, group vector  Process group, controlling terminal  Superuser  But let's pretend for today Domain switch via setuid executable  Special permission bit set with chmod u+s file  Meaning: exec() sets uid to executable file's owner  Gatekeeper programs  “lpr ” run by anybody can access printer 's queue files

21 15-410, F'08 Access Matrix Concept

Concept  Formalization of “who can do what” Basic idea  Store all permissions in a matrix  One dimension is protection domains  Other dimension is objects  Entries are access rights

22 15-410, F'08 Access Matrix Concept

File1 File2 File3 Printer D1 rwxd r D2 r rwxd w D3 rwxd rwxd rwxd w D4 r r r

23 15-410, F'08 Access Matrix Details

OS must still define process  domain mapping OS must define, enforce domain-switching rules  Ad-hoc approach  Special domain-switch rules (e.g., log off/on)  Can encode domain-switch in access matrix!  Switching domains is a privilege like any other...  Add domain columns (domains are objects)  Add switch-to rights to domain objects » “D2 processes can switch to D1 at will”  Subtle (dangerous)

24 15-410, F'08 Adding “Switch-Domain” Rights

File1 File2 File3 D1 D1 rwxd r D2 r rwxd s D3 rwxd rwxd rwxd D4 r r r

25 15-410, F'08 Updating the Matrix

Ad-hoc approach  “System administrator” can update matrix Matrix approach  Add copy rights to objects  Domain D1 may copy read rights for File2  So D1 can give D2 the right to read File2

26 15-410, F'08 Adding Copy Rights

File1 File2 File3 D1 rwxdR r D2 r rwxd D3 rwxd rwxd rwxd D4 r r r

27 15-410, F'08 Adding Copy Rights

File1 File2 File3 D1 rwxdR r D2 r r rwxd D3 rwxd rwxd rwxd D4 r r r

28 15-410, F'08 Updating the Matrix

Add owner rights to objects  D1 has owner rights for O47  D1 can modify the O47 column at will  Can add, delete rights to O47 from all other domains Add control rights to domain objects  D1 has control rights for D2  D1 can modify D2's rights to any object  D1 may be teacher, parent, ...

29 15-410, F'08 Access Matrix Implementation

Implement matrix via matrix?  Huge, messy, slow Very clumsy for...  “world readable file”  Need one entry per domain  Must fill rights in when creating new domain  “private file”  Lots of blank squares » Can Alice read the file? - No » Can Bob read the file? - No » ... Two typical approaches – “ACL”, “capabilities” 30 15-410, F'08 Access Control List

File1 D1 D2 r D3 rwxd D4 r

31 15-410, F'08 Access Control List (ACL)

List per matrix column (object)  de0u, read; bmm, read+write Naively, domain = user AFS ACLs  domain = user, user:group, system:anyuser, machine list (system:campushost)  positive rights, negative rights  de0u:staff rlid  nwf -id Doesn't really do least privilege  System stores many privileges per user, permanently... 32 15-410, F'08 Capability List

File1 File2 File3 D1 rwxdR r

33 15-410, F'08 Capability Lists

Capability Lists  List per matrix row (domain)  Naively, domain = user  More typically, domain = process Permit least privilege  Domains can transfer & forget capabilities  Possible to create “just right” domains » cc which can't write to .cshrc  Bootstrapping problem  Who gets which rights at boot?  Who gets which rights at login?  Typical solution: store capability lists in files somehow 34 15-410, F'08 Mixed Approach

Permanently store ACL for each file  Must fetch ACL from disk to access file  ACL fetch & evaluation may be long, complicated open() checks ACL, creates capability  “Process 33 has read-only access to vnode #5894”  Records access rights for this process  Quick verification on each read(), write()  Result: per-process fd table “caches” results of ACL checks

35 15-410, F'08 Internal Protection?

Understood so far:  Which user process should be allowed to access what?  Job performed by OS  How to protect OS code, data from user processes  Hardware user/kernel boundary Can we do better?  Can we protect parts of the OS from other parts?

36 15-410, F'08 Traditional OS Layers

User Program Print Queue Page System Disk Device Driver

37 15-410, F'08 Traditional OS Layers

User Program Print Queue Smaller File System Simpler More Critical Page System Disk Device Driver

38 15-410, F'08 Traditional OS Layers

User Program Print Queue File System Equally Page System Trusted!! Disk Device Driver

39 15-410, F'08 Traditional OS Layers

User Program Print Queue File System Wild Pointer Page System Access Disk Device Driver

40 15-410, F'08 Multics

Multics =  Multiplexed Information and Computing Service  Plan: “information utility”  Mainframe per city Designed to scale  Many users, many programmers  Protection seen as a key ingredient of reliability

41 15-410, F'08 Multics Approach

Trust hierarchy Small “simple” very-trusted kernel  Main job: access control  Goal: “prove” it correct Privilege layers (nested “rings”)  Ring 0 = kernel, “inside” every other ring  Ring 1 = core  Ring 2 = operating system services  ...  Ring 7 = user programs

42 15-410, F'08 Multics Ring Architecture

Segmented virtual address space  One segment per software module or data file  “Print module” may contain  Entry points in a code segment » list_printers() , list_queue() , enqueue() , ...  Data segment » List of printers, accounting data, queues  Segment  file (segments persist across reboots)  VM permissions focus on segments, not pages Access checked by hardware  Which procedures can you call?  Is access to that segment's data legal? 43 15-410, F'08 Multics Rings

Kernel

Disk Page Store File System

44 15-410, F'08 Multics Rings

Kernel Wild Pointer Access Disk Page Store File System

45 15-410, F'08 Multics Rings

Fault

Kernel Wild Pointer Access Disk Page Store File System

46 15-410, F'08 Multics Domain Switching

CPU has current ring number register  Current privilege level, [0..7] Segment descriptors include  “Traditional stuff”  Segment's limit (size)  Segment's base in physical memory  Ring number  Access bracket [min, max]  Segment “appears in” ring min...ring max  Access bits (read, write, execute)  Entry limit  List of gates (procedure entry points) 47 15-410, F'08 Multics Domain Switching

Every procedure call is a potential domain switch Calling a procedure at current privilege level?  Just call it Calling a more-privileged procedure?  Call mechanism checks entry point is legal  We enter more-privileged mode  Called procedure can read & write all of our data Calling a less-privileged procedure?  We want to show it some of our data (procedure params)  We don't want it to modify our data

48 15-410, F'08 Multics Domain Switching

min <= current-ring <= max  We are executing in ring 3  Procedure is “part of” rings 2..4  Standard procedure call

49 15-410, F'08 Multics Domain Switching

current-ring > max  Calling a more-privileged procedure  It can do whatever it wants to us Implementation  Hardware traps to ring 0 permission-management kernel  Ring 0 checks current-ring < entry-limit  User code may be forbidden to call ring 0 directly  Checks call address is a legal entry point  Less-privileged code can't jump into middle of a procedure  Sets current-ring to segment-ring  Privilege elevation – after consulting callee's rules  Runs procedure call 50 15-410, F'08 Multics Domain Switching

current-ring < min  Calling a less-privileged procedure Implementation  Trap to ring 0 permission-management kernel  Ring 0 copies “privileged” procedure call parameters  Must be in low-privilege segment for callee to access  Sets current-ring to segment-ring  Privilege lowering – callee gets r/o access to carefully chosen privileged state  Runs procedure call

51 15-410, F'08 Multics Ring Architecture

Does this look familiar?  It should really remind you of something... Benefits  Core security policy small, centralized  Damage limited vs. Unix “superuser”' model Concerns  Hierarchy  least privilege  Requires specific hardware  Performance (maybe)

52 15-410, F'08 More About Multics

Back to the future  Symmetric multiprocessing  Hierarchical file system (access control lists)  Memory-mapped files  Hot-pluggable CPUs, memory, disks  1969!!! Significant influence on Unix  Ken Thompson was a Multics contributor The One True OS  In use 1968-2000  www.multicians.org 53 15-410, F'08 Mentioning EROS

Text mentions , CAP  Late 70's, early 80's  Dead EROS (“Extremely Reliable Operating System”)  UPenn, Johns Hopkins  Based on commercial GNOSIS/KeyKOS OS  www.-os.org  “Arguably less dead” (see below)

54 15-410, F'08 EROS Overview

“Pure capability” system  “ACLs considered harmful” “Pure principle system”  Don't compromise principle for performance Aggressive performance goal  Domain switch ~100X procedure call Unusual approach to capability-bootstrap problem  Persistent processes!

55 15-410, F'08 Persistent Processes??

No such thing as reboot Processes last “forever” (until exit) OS kernel checkpoints system state to disk  Memory & registers defined as cache of disk state Restart restores system state into hardware “Login” reconnects you to your processes

56 15-410, F'08 EROS Objects

Disk pages  capabilities: read/write, read-only Capability nodes  Arrays of capabilities Numbers  Protected capability ranges  “Disk pages 0...16384” Process – executable node

57 15-410, F'08 EROS Revocation Stance

Really revoking access is hard  The user could have copied the file Don't give out real capabilities  Give out proxy capabilities  Then revoke however you wish Verdict  Not really satisfying  Unclear there is a better answer  Palladium/“trusted computing” isn't clearly better

58 15-410, F'08 EROS Quick Start

http://www.eros-os.org/  essays/  reliability/paper.html  capintro.html  wherefrom.html  ACLSvCaps.html Current status  EROS code base transitioned to CapROS.org  Follow-on research project at Coyotos.org

59 15-410, F'08 Concept Summary

Object  Operations Domain  Switching Capabilities  Revoking is hard, see text “Protection” vs. “security”  Protection is what our sysadmin hopes is happening...

60 15-410, F'08